
Re: questions about acls.



Adam Shand wrote:

> okay i'm trying to lock down my ldap server and have a couple questions
> that i'm not sure about.
>
> so, here are some questions
>
> - what does the token "auth" actually mean and how is it different from
>   "compare"?
>

Auth grants access to an attribute for the purpose of binding a DN.  Its
sole use is to allow a user (probably an anonymous one) the ability to
authenticate as another DN.

Compare looks up a DN and tells you if it contains an attribute with a value
you have supplied.  Compare could be used to validate a cleartext password.

Perhaps you could say that authenticating allows you to 'become' a DN, while
compare allows you to check something.

>
> - which is the difference between "search" and "read" (does search mean
>   you can pass through a node without actually being able to read
>   data? like the execute bit on a unix directory without the read bit?)
>

Search permission is tested when an attribute name is used in a filter
expression.  Read permission is required before the server will send that
attribute to the client.  Your comparison with a Unix directory is somewhat
apt, and it may have been the original inspiration -- but I digress.  If you
want to grant.  OpenLDAP adds the ability to set 'read' permission to the
'entry', so that a search can retrieve the DN of the entry, even though no
values are returned.

>
> - what information does a user require access to in order to bind to the
>   ldap server?  obviously they need access to "userPassword" but
>   presumably they also need the ability to read their RDN, and to search
>   to the point where their DN is stored?
>

Not to bind.  All you need is a DN and a password.  You only need other
capabilities if you don't know your DN, but you do know other information
such as your email address.  Netscape uses this method to obtain your DN.

>
> - (sorry this is off topic but i'm hoping someone knows) does the
>   pam/nssldap user require (in my case proxyagent) write access for users
>   to be able to update their password via pam?  or do the pam libraries
>   bind as the user for that operation?
>

Can't answer that one.  Haven't played much with groups so I'll leave the
rest to someone else.  There are lots of previous questions like this in the
mailing lists.

>
> - is there anyway to be able to use an acl in the form of:
>
>   access to *
>     by group="cn=admin,ou=group,dc=example,dc=net" write
>     by * none
>
>   where the group "admin" is a "posixGroup" and the member are included
>   with the attribute "memberUid".  if not then how should i be doing it?
>   do i need to change "admin" from a "posixGroup" to a "groupOfNames"?
>
> if there is a stash of example acl's somewhere i'd love to know about it.
> i've ransacked the net but it's hard going finding examples doing what i
> want to do.
>
> thanks,
> adam.
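As an added illustration of the privilege levels discussed in the reply above (auth, compare, search, read, write, and read on the 'entry' pseudo-attribute), here is a slapd.conf ACL fragment. It is an example written for this thread, not configuration from the original message or from the OpenLDAP project. The suffix dc=example,dc=net and the group DN cn=admin,ou=group,dc=example,dc=net are taken from the question; the assumption is that cn=admin is a groupOfNames whose "member" values are DNs, because the "group" clause compares the bound DN against a DN-valued attribute, which a posixGroup's memberUid (plain uid strings) is not.

```conf
# Added example: slapd.conf ACLs showing the auth/compare/search/read levels.
# Assumed directory layout: suffix dc=example,dc=net, admin group
# cn=admin,ou=group,dc=example,dc=net of objectClass groupOfNames with
# DN-valued "member" attributes (assumption; memberUid is not DN-valued).
#
# Evaluation rules: the first "access to" clause whose target matches the
# entry/attribute is used, and within it the first matching "by" line wins,
# so specific clauses must come before the catch-all "access to *".
# Privileges are cumulative: none < auth < compare < search < read < write.

# userPassword: an anonymous client may use it to bind (auth) but can never
# read the value back; only the entry itself (self) or the admin group may
# change it.  This is the "become a DN" case from the reply.
access to attrs=userPassword
        by group/groupOfNames/member="cn=admin,ou=group,dc=example,dc=net" write
        by self write
        by anonymous auth
        by * none

# "entry" is OpenLDAP's pseudo-attribute for the entry as a whole.  Granting
# read on it lets a search return the DN of a matching entry even when the
# client is not allowed to read any of its attribute values.
access to attrs=entry
        by users read
        by * none

# mail: authenticated users may use mail in a search filter (search), so a
# client can find "the entry whose mail is X" (the Netscape-style lookup
# mentioned in the reply) and get its DN, but only the entry owner is sent the
# actual mail value (read).  A compare on mail would also succeed for users,
# since search implies compare.
access to attrs=mail
        by self read
        by users search
        by * none

# Everything else: the admin group may write, authenticated users may read,
# and anonymous clients get nothing.
access to *
        by group/groupOfNames/member="cn=admin,ou=group,dc=example,dc=net" write
        by users read
        by * none
```

Because the catch-all "access to *" is evaluated last, an authenticated user who searches with (mail=someone@example.net) receives the matching DN (read on entry) plus the attributes covered by the final clause, but not the mail attribute itself unless the match is their own entry; an anonymous bind attempt still works because the userPassword clause grants auth before falling through to none.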